Posted by samzenpus on Wednesday April 27, 2011 @06:36PM from the lick-em-while-their-down dept.

suraj.sun writes "Like clockwork, the first lawsuit resulting from the security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed. The suit was filed today on behalf of Kristopher Johns, 36, of Birmingham, Ala., in the US District Court for the Northern District of California. Johns accuses Sony of not taking 'reasonable care to protect, encrypt, and secure the private and sensitive data of its users.' He also believes Sony took too long to notify him and other customers that their personal information had been exposed. Because of that, the complaint alleges, Sony did not allow its customers 'to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.'"

I still have yet to hear a single word out of Sony. Had I not seen the Playstation Blog post, I would have known NOTHING about the severity of this issue until it hit all the major news outlets.

Sadly, I know how this is going to turn out. There will be a class-action suit in which Sony is fined heavily. But the vast majority of the money will go to some shark lawyer, and the only thing the people affected by this will receive is a free 1-month subscription to PSN+. Actually, I'll be surprised if they even give us that much.

If this DOES go class-action, I will definitely be on the lookout for my notice to opt out. If I see any erroneous charges on my card stemming from this massive amount of incompetence, I want to retain my full legal right to bring my own suit against Sony where they will be required to provide me with credit monitoring and credit fraud protection. I'm sorry, but a boilerplate "we're sorry" and some token gesture are NOT going to cut it here.

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1) Temporarily turned off PlayStation Network and Qriocity services;

2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

For your security, we encourage you to be especially aware of email, telephone and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

- U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

- We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below:

> investors in other companies will start asking the CIO to ensure security at any cost

Really? Any cost? There is no such thing as a completely secure network or computer (that provides a usable amount of capability) and getting to a high level can be very, very expensive. Are you willing to give up e-commerce? The ability to get government services online? Your gmail accounts? (Google, after all, quite publicly got hacked, yet you continue to use them.)

Don't want to lose money as an investor? Sell your shares in this shitty corporation.
Don't want to lose your job? Don't work for corporate douche-bags with shitty ethics.
Shit's simple, huh? ;)

I'd say simplistic, not simple. What does the guy putting together headphones know about whether or not the PSN security guys are hashing the passwords? I don't really understand it, and I'm here. With a corporation even a tenth of the size of Sony, it's unlikely that every employee and investor would know what liabilities every other employee is or is not opening the company up to and thereby risking their jobs.

It's not like these guys were working for "Child molesting inc," the ethic violations here, if any,

Maybe it's possible to work in one division of a major corporation and have no idea what the other divisions are doing. If so, my money's on the fact that the corporate legal team has made it such that separate divisions are indeed separate entities, and gross failure on the games division won't destroy the foundations of the other divisions. If your company is not that big, take a clue from the corporate culture which is usually used to sell a potential employee - "we're sure you'll love it here, as our c

> Maybe it's possible to work in one division of a major corporation and have no idea what the other divisions are doing.

MAYBE it's possible? My friend, you have clearly never worked at even a mid-sized company, let alone a big one.

My previous employer had about 200 employees scattered across three cities. People in my department had never met and had absolutely no idea who various other employees were or what they were doing, let alone having any authority over the choices they made. Now I work for a company that has more employees than there are residents in the city of Madison, Wisconsin. I have no more knowledge of what a

Regardless of who you attempt to hold accountable, when the payouts are coming from the company the employees will always lose to some degree. Yet people get fired all the time for things that aren't their fault because it's in "the best interest of the company"; we can't protect a dodgy company because it will cause some sort of unemployment. Would we not send a father of 3 to jail for fraud just because his family survives off his ill-gotten gains? Why make that exception for a company?

You realize that Sony's _ENTIRE_ gaming division operates at a NET LOSS, right?

Gee, how did I miss that in school?

Sony makes its money in the FINANCIAL SECTOR and subsidizes its gaming business. This lawsuit (even if it's in the billions) will NOT bring Sony down. So do some research about the background of the company before posting BS like this again... Thanks.

I'm not sure how "Sony's gaming division loses money all the time" translates into "Sony's gaming division losing billions more than usual cannot possibly harm the rest of Sony."

By the way, relax a little. Why are you that upset about someone being ignorant of the intricacies of Sony's corporate structure?

I just now got the notification in my email (literally about 30 seconds ago). This was on the Playstation Blog WELL over 24 hours ago, and I'm only just now getting a notification (which states the exact same thing). There is no excuse for taking this long.

We at Sony are deeply sorry for the worry and risk to your financial security we have caused. We are committed to fix our errors and making financial settlements. Please click on the link below and provide your bank account number so that we may deposit the amount of $11,000.

I got this e-mail from Sony [playstation.com] this morning. A little late, perhaps? <sarcasm>

Though here's a question: How many other companies have the backbone to own up quite so readily, instead of trying to cover it up to save face?

Don't get me wrong, I'm not trying to defend Sony (after all, it seems that they're finally getting help to make their system more secure, implying that their efforts were not solid enough to start with). But what I am saying is that I generally don't trust businesses to keep secure pe

It takes time to find out what has been compromised. The hacker won't just come out and say "All your base are belong to us". Sony told us when they found out. If they did say on day one that there is a possibility it may be compromised, then there would be a lot of hectic closing of bank accounts on a hunch. If nothing had been compromised and they told us it may be (on day one), then people would be mad and would still have sued Sony for misleading them. Crap happens; suing doesn't make it better. Plus nobody sa

It's funny how Sony works so hard to protect their own data and content via all their DRM attempts, when it comes to their customers' data - not so much. On the other hand, they now have something to point to when people want to run whatever OS they want to run on their machines. Still, since they can't stop it, they should focus on keeping their customers' credit card info out of harm's way (remind me why they need to keep persistent credit card data anyway? That should be an opt-in only type of thing, with a required expiration date otherwise.) On a related note, when I set up a new account at my bank they only allow alphanumerics with no special characters. WTF? Try to explain rainbow tables to a bank representative. So I used all of them... I had the longest password she had ever seen.

Doesn't everyone here remember their credit card number anyway? It's 2 phone numbers. I guess if you have multiple credit cards it could be an issue, but doing so must have saved me literally tens of minutes.

Actually I just got a notification from Sony about this today. And according to this http://vgn365.com/2011/04/26/psn-users-reporting-hundred-of-dollars-stolen-from-them/ the CCs are already in the wild. I know Visa is aware of the issue. They have reissued me a new card based on this information. So yea, it could go somewhere.

Our wonderful, conservative-activist Supreme Court just ruled today that any company may stick a line in their EULA stating that by using their product, you forfeit the right to sue, and must instead use a private arbiter of the corporation's choice. They based this decision on a 90 year old law that was written to cover maritime shipping disputes.

Of course, since most contracts these days state that the corporation has the right to change the terms at any time without notice, this basically means that you can no longer sue a company that you've entered into a contract with.

Still think you have rights? Not as long as a Republican holds office!

Um, you completely don't understand this. Arbitration is a long-standing method of settling a dispute between parties. It is extremely common in Professional Services engagement agreements, and it is also very common in other service agreements. I'm quite sure almost every agreement you sign for internet, phone, electricity, cable TV, etc also includes arbitration language.

Arbitration is a good thing. It allows small matters to be handled quickly, less expensively, and without mucking up our already c

If by "go to the business" you mean the customer was charged $30.22 extra, and the business offered $30.22 credit, and the customer wanted arbitration, and the arbitrator decided on $30.22, then yes, I stand by his statement.

> Our wonderful, conservative-activist Supreme Court just ruled today that any company may stick a line in their EULA stating that by using their product, you forfeit the right to sue, and must instead use a private arbiter of the corporation's choice.

Not true, actually. They ruled [npr.org] that customers that have signed a contract with a clause to that effect are bound to it. AFAIK, there is no settled case law saying that a shrinkwrap EULA is equivalent to a valid, signed contract.

EULAs don't trump consumer laws, especially in Europe. You don't have a signature on a EULA; they don't mean jack shit over here. The ICO (Information Commissioner's Office), responsible for the data protection laws in the UK, is already looking into this.

PSN is free, so it's hard to imagine how anyone is entitled to any compensation there unless it's through a goodwill gesture by Sony (which they definitely should do). No proof yet any credit cards have actually been compromised. And before you all get puffy and worked up, literally, NO PROOF of any CC problems that can be linked to the PSN breach have been proven (yet). There's no way the banks would allow Sony to have access to CC accounts without being regularly audited, never heard of any problems there. So I would think it's safe to assume they've been following safe business practices or else we would have heard something by now. According to latest reports, Sony reported the possibility of account & CC details being compromised a little over a day after they found out. Difficult to claim that's an egregious length of time given the circumstances.

With all that plus the fact that it's common knowledge that Sony has been repeatedly targeted by hackers and thieves out of revenge for Sony having the audacity to protect their network and customers, this lawsuit is going to have a very difficult time making any headway.

So what is exactly this lawsuit about? Since this originates in the US (the most litigious country in the world) I say it's just more ambulance chasing i.e. business as usual.

1) PSN is free, but that doesn't mean anything. The information I've given Sony has been given on the assumption that it would be kept with a modicum of safety. This was obviously not the case. It's even worse if the credit cards have indeed been compromised, in which case monetary compensation is far from being out of the question.

2) Reported a day after, where? I'm sorry, but saying it somewhere on the internet doesn't count. If you don't contact your customers on agreed-upon areas (email is the sole o

> NO PROOF of any CC problems that can be linked to the PSN breach

Pretty hard to prove in the best of cases. You could just as easily go the other way and have Sony prove someone else leaked the card. You'd need to track down the source of the fraudulent charges and keep tracking right to the source in both cases.

> no way the banks would allow [...] without being regularly audited

Are you really suggesting that banks audit their corporate customers' software, on a

Look at the Davidson data breach class action lawsuit [topclassactions.com] for a case extremely similar to this one. There's also the (still pending as far as I can tell) Citizens Financial Bank [chicagobus...erblog.com] breach case. Not following the standards of the industry for securing this sort of data can absolutely lead to a class action settlement, even if there is no hard written security standard.

There's also some additional services that require a card on record at Sony tied to your PSN account (Qriocity and Playstation+). There's also the stored card information for your wallet if you set that up as well.

Maybe this lawsuit will require them to come forward with the steps they *did* take. Up until now, it's largely been speculation. If they locked the door but left open a window, I want to know. And I want to know how open that window was left.

When I ran a server that contained sensitive customer data, I left the database open and without a password. That way if someone was going to hack me, I didn't have to buy a new password.
Analogy fail.

Smart man. I leave my car unlocked too so the crack-heads can just take the $1.27 from my ashtray and save me the trouble of buying a new car window every time I park out on the street.

Problem here is, it wasn't Sony's $1.27 that was lost. It was my stuff lost, and 77 million other people's..... The biggest problem of all is that Sony did not alert their customers in a timely manner. Fuck Sony.

Nominated for this week's dumbest comment. A closed window is a deterrent. An open window is an invitation.

This is incorrect. This is the same argument used to lull people into a false sense of security that is used to sell "The Club" for auto security. Back in the 90's I had a number of car stereos stolen, very high end equipment, highly prized by crooks. Both were stolen from fully secured vehicles. After the second one, I talked to the installer of the third, who also sold car alarms and other security devices. His advice was to leave the doors unlocked and have insurance. Breaking into a car, or a home

"For starters, they transmitted CC numbers in plain text over the Internet."

No they didn't.

They transmitted CC numbers over SSL over the internet, and some dipshit reinvented the wheel and "discovered" that he could spoof a cert on his own system and decrypt his own data, then he started claiming the info was sent unencrypted, and people like you read the headlines and started making the same claim everywhere else.

Sony is an absolute shitfuck of a company (to coin a phrase), but you can't claim this one wit

The problem is that it is never a "well funded crime kingpin" and most often a 15-30 year old or an (ex) employee that noticed some gaping, obvious security flaw. Data breaches like this are rarely the work of huge "cyber gangs" and mostly the work of individuals who noticed some huge flaw that Sony had. The crime kingpins wouldn't bother with something like this because it is a whole lot easier to sell botnets with 3nl@rg3 y0ur p3n15 spam.

> The problem is that it is never a "well funded crime kingpin" and most often a 15-30 year old or an (ex) employee that noticed some gaping, obvious security flaw. Data breaches like this are rarely the work of huge "cyber gangs" and mostly the work of individuals who noticed some huge flaw that Sony had. The crime kingpins wouldn't bother with something like this because it is a whole lot easier to sell botnets with 3nl@rg3 y0ur p3n15 spam.

Twenty years ago you may have been right, but these days botnets are a multi-million dollar operation, underground black markets sell botnet time just like Amazon sells computer cycles, and cyber-gangs sell credit card numbers for a few dollars a pop. Cracking isn't the sole province of bored kids typing away from their parents' basement anymore; it's an industry, staffed by professionals.

I'm not sure I buy that first part, given that no online service is ever going to be 100% secure.

Reasonable care would imply robustly isolating transaction processing systems and user-accessible systems from systems that store primary account numbers (such as credit card/bank account numbers), and isolating those from online/public-access systems such as the internet or the PlayStation Network.

Reasonable care would include complying with PCI requirements, relating to auditing, security practices, separation of computer systems by role, and enforcing strong unique access credentials for users and systems.

So that a compromise of the publicly accessible network cannot lead to compromise of the account numbers.

This is highly doable. The only commands/services the PSN/publicly accessible servers need from account servers is a command to "add a new account number" to the database linked to a certain customer,
a command to "erase an account number", a command to list privacy-filtered summary to display a 'delete' user interface,
and a command "authorize/charge a transaction to account number" (without revealing what the number actually is to the transaction processing server).

Yes and no. Being an Xbox Live player (hate to say this because it's MS we are talking about), you can enjoy gaming without the possibility of account hijacking. The only real problem Live has is people boosting the game.

PS on the other hand: first off it's a free service, 2nd it's continually having script kiddies hack the game and steal accounts. In fact I don't think I have ever met a single PS player that hasn't had their game hacked, messed with, or account stolen.

> Being an Xbox Live player (hate to say this cause its MS we are talking about) but you can enjoy gaming without the posibility for account Hijacking.

That's actually not true. XBL support has a notoriously bad track record when it comes to social engineering and giving away your account details to attackers. There were quite a few articles about it a few years back (here's one from a quick search [mtv.com]). I think it's actually more of a threat since a valid credit card is required for XBL Gold accounts.

Aside from the ethics behind boosting, nothing really. I agree with you on that Sony needs to be pulled into line regarding this. I know so many clueless 15 year olds that habitually steal PS accounts.

PCI isn't even going to come into play here, which is quite astonishing. The upset consumer going for the cash grab won't be the issue. It will be Mastercard and Visa.

Passwords should not be stored, either in an encrypted state or not. A one-way hash value should be generated based on the password entered; this should then be salted and then that stored on the server. Then whenever the user logs in, the hash value of what they entered should be compared with the hash value that's stored to see if it matches. If it does then Bob's your uncle, you are successfully logged in. I'm furious with Sony that they stored my password in a manner in which it could be retrieved.

"salting is a bit overrated... If they have access to your machine they know what salt you've done, leaving you vulnerable to brute force attacks."

Sure, but it throws off rainbow tables nicely. Adding a little something into the mix that means any pre-computed list of hashes on the top billion or so obvious alphanumeric passwords is now useless, as we've stuffed in some binary crap. Brute force is now the only option, where before we could potentially break all the passwords using a single pre-executed brut
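To make the two posts above concrete, here is an added example (not code from the thread or from Sony) of salted, iterated password storage and verification, with a toy precomputed table standing in for the rainbow table: the table recovers an unsalted hash at once but gets no hit on the salted record, so every record has to be attacked separately at the full work factor. User names, passwords, the word list and the iteration count are constructed for the example.

```python
"""Salted password storage versus a precomputed hash table (constructed example)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; constructed choice for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.
    The salt is random per record, so two users who chose the same password
    end up with different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count taken from the record,
    then compare in constant time so timing does not leak a partial match."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Stand-in for a precomputed table: plain SHA-1 of a handful of common
# passwords (constructed list), keyed by hash so lookup is a dict access.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "playstation"]
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_store(password: str) -> str:
    """The weak scheme the table was built against: one plain SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_in_table(stored_value: str) -> Optional[str]:
    """Offline lookup of a leaked value in the precomputed table.
    For a salted record only the digest part is looked up; None means no hit."""
    digest = stored_value.split("$")[-1]
    return PRECOMPUTED.get(digest)


def guess_from_wordlist(stored: str, wordlist) -> Tuple[Optional[str], int]:
    """What is left once the table fails: recompute the salted hash for every
    candidate of this one record.  Returns (match or None, hashes computed),
    which shows the per-record cost the iteration count imposes."""
    computed = 0
    for candidate in wordlist:
        computed += 1
        if verify_password(candidate, stored):
            return candidate, computed
    return None, computed
```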

It should not be possible to get card data out of your transaction processing server. That should be obvious. It should be able to receive card data and a linked account, and accept and confirm transactions from the linked account, but it should be completely unable to transmit card data. Obviously, card data should not be stored outside the transaction processing server in any form, format or fashion.
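The narrow interface the two posts above describe (add a card, erase it, list a privacy-filtered summary, charge a linked account, never return the number) as an added Python example; it is not code from the thread or from Sony, and the vault, token format, Luhn check and stub authorizer are all constructed for illustration.

```python
"""Constructed card-vault interface: the public-facing tier gets tokens and
masked summaries, and the primary account number (PAN) never leaves the vault."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the usual sanity check before a PAN is accepted."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class _StoredCard:
    pan: str
    expiry: str  # "MM/YY"


def _processor_authorize(pan: str, expiry: str, cents: int) -> bool:
    """Stand-in for the acquirer call; constructed rule: approve under $5000.
    It is reachable only from inside the vault, never from the public tier."""
    return cents < 500_000


class CardVault:
    """Trusted-side store exposing exactly the four operations the public
    tier needs.  Note there is no method that returns a stored PAN."""

    def __init__(self) -> None:
        self._cards: Dict[Tuple[str, str], _StoredCard] = {}  # (customer, token)
        self._audit: List[Tuple[str, str, int]] = []          # charge log

    def add_card(self, customer: str, pan: str, expiry: str) -> str:
        """Store a card for a customer and hand back an opaque token."""
        if not luhn_ok(pan):
            raise ValueError("PAN failed Luhn check")
        token = secrets.token_hex(16)
        self._cards[(customer, token)] = _StoredCard(pan, expiry)
        return token

    def erase_card(self, customer: str, token: str) -> bool:
        """Remove a card; the customer id is part of the key, so one customer
        cannot erase another's card even with a leaked token."""
        return self._cards.pop((customer, token), None) is not None

    def list_cards(self, customer: str) -> List[dict]:
        """Privacy-filtered summary for a 'delete card' UI: last four only."""
        return [
            {"token": tok, "last4": card.pan[-4:], "expiry": card.expiry}
            for (cust, tok), card in self._cards.items()
            if cust == customer
        ]

    def charge(self, customer: str, token: str, cents: int) -> bool:
        """Authorize a transaction against the linked card.  The caller learns
        only approved/declined; the PAN is used here and goes no further."""
        card = self._cards.get((customer, token))
        if card is None or cents <= 0:
            return False
        self._audit.append((customer, token, cents))
        return _processor_authorize(card.pan, card.expiry, cents)


def public_surface(vault: CardVault, customer: str, token: str) -> str:
    """Everything a compromised front end could observe through the API,
    flattened to a string so it can be checked for leaked digits."""
    return repr(vault.list_cards(customer)) + repr(vault.charge(customer, token, 100))
```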

Now his bank and the payment card industry should be the ones taking the strongest stance against Sony; since it's the banks that most immediately bear the cost of fraud (due to policy of $0 liability for unauthorized account use; once the account owner identifies the transactions as fraudulent).

The banks won't lose a cent. They will turn around and charge all of that fraud back to the merchants who accepted the charges.

Private financial information was breached. That in itself is the harm, regardless of any credit theft subsequent to the breach. Even if Sony's network hadn't been breached, insecurely keeping financial records alone is in itself a harm to those individuals. Consider a bank that has never been robbed that keeps all its customers' money in piles in plain view in front of the bank. A customer could sue the bank for negligence even if there was no theft.

And sitting on something like this for a week -is- a problem. When you have possibly exposed the equivalent of 25% of the US population to credit card fraud, the world needs to know. This isn't some "oh whoops, one of our laptops is missing" instead this is a data breach affecting 77 million people. And to say -nothing- is completely irresponsible. A week is a pretty long time to not say -anything- and to just hope that it will go away.

Even someone who has your personal information for a few hours can cause havoc in your life, let alone for an entire week.

This is gross hyperbole. 77 million accounts were compromised, but that many people didn't have credit card information on there. A generous estimate would be 10% of accounts had CC information saved. Delusions of grandeur.

Attempts to estimate the impact:

Assuming USD1000 in CC fraud for each CC: 10% x 77 mils x USD1000 = USD7700 - to be supported by either the owners of the CCs or the CC companies;

Also a good idea to not use real names, and to push credit card companies to develop a system of one-time tokens that are only good for a single buyer-seller relationship (or even for a single transaction) so that the stolen information has little value.

Wow, I don't think you actually read that document. That opinion had absolutely nothing to do with Products or Services, and it doesn't disable class status for lawsuits. It states that an arbitration agreement that disallows class arbitration is allowable. Basically, if you sign away your right to arbitration by class action, that is valid, and you can't later invoke class-wide arbitration.

Hell yes it's a bad thing! When a large corporation can use a shrink-wrap EULA to force you into binding arbitration (read: a "court" they have literally bought and paid for), you will never again see that corporation bother with proper customer service. Remember, according to Sony you don't actually own your PS3; by signing up for the PSN, you are effectively renting that machine from Sony. From here on out, the customer is always wrong: our kangaroo court says so!

Given that Sony simply imported the data from one "child" company to another, I don't expect that the owner of the company matters. It interests me that by closing the service on one company and opening it on another (along with a completely new TOS), would clauses regarding forcing a customer to use arbitration then be rendered void? The EULA is a legal document which supposedly forms a contract between one party and another; by failing to continue to provide service on the original company Sony has breac

Usually I am against the rampant lawsuits over hot coffee and anything else the shills can think of, but this is one I am in favor of. Sony seems to have taken over as the current best example of "Evil Large Corporation" in the public eye, and deservedly so.

You must be confused; I haven't seen Sony behave in an evil way that is at all dissimilar to the other evil companies (MS, Apple, Nintendo, etc). So why should they be given the title of "best example of ELC"?

Apple and Sony both sell devices whose firmware was jailbroken. Both jailbreak methods were made available through significant contributions from George Hotz. One of them brought Hotz to court. Guess Who.

That's just retarded, really? Why is Slashdot so full of anti-Sony trolls? Have you ever been a systems administrator? It takes time and effort to actually detect and then judge the severity of a given attack. One week does not seem like a big deal from -woops we have a big problem- to sending out a formal acknowledgement of the issue. Hell, it would take at LEAST 1 day for a Sony rep to officially write up the disclosure in legally tin foil jargon and probably another for the notice to be translated in